Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers. In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy. The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers. PiperOrigin-RevId: 550845188 Change-Id: I151d467848983b00b71ec8447d662394fa7176db

commit: 04ed89906b48175e02cc9faf6d52b05278ec367b [log] [tgz]
author: Oliver Kunz <okunz@google.com> Tue Jul 25 04:37:13 2023 -0700
committer: Copybara-Service <copybara-worker@google.com> Tue Jul 25 04:38:43 2023 -0700
tree: 649eb9bc3b0bdcba8b2b697f831d42fd254c3ddc
parent: 9d1d4b7fd38270e825bdc1cda80cbda51ed46d17 [diff]
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 8f6134c..de7f89f 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc

@@ -327,6 +327,7 @@
     // Sanitizers read from /proc. For example:
     // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
     AddDirectoryIfNamespaced("/proc");
+    AllowOpen();
     // Sanitizers need pid for reports. For example:
     // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
     AllowGetPIDs();
commit	04ed89906b48175e02cc9faf6d52b05278ec367b	[log] [tgz]
author	Oliver Kunz <okunz@google.com>	Tue Jul 25 04:37:13 2023 -0700
committer	Copybara-Service <copybara-worker@google.com>	Tue Jul 25 04:38:43 2023 -0700
tree	649eb9bc3b0bdcba8b2b697f831d42fd254c3ddc
parent	9d1d4b7fd38270e825bdc1cda80cbda51ed46d17 [diff]